Chat now with support
Chat with Support

Identity Manager 8.0 - Target System Base Module Administration Guide

Example for Implementing Several Account Definitions with a Target System Type

If several target systems are managed using account definitions in a target system type, a separate account definition must be set up for each target system. When the employee is assigned both account definitions, subsequent script and process handling ensure that the employee obtains the user accounts in both target systems.

Example 1

There are two domains in an Active Directory environment. The employees can only have a user account in one of the domains. The department operational data is used to determine whether the user account is created in domain A or domain B.

Create an account definition A for domain A and an account definition B for domain B and assign them the manage level "Full managed". This manage level uses the One Identity Manager default templates to determine the IT operating data. Specify the property "department" for both account definitions in the IT operating data formatting rule for finding the valid IT operating data.

If the employee belongs to department A, they obtain (by dynamic assignment, for example) the account definition A and the resulting user account is in domain A. If the employee belongs to department B, they are issued the account definition B and a user account in domain B.

Figure 3: Creating User Accounts based on Account Definitions

Example 2

There are two domains in an Active Directory environment. The employees can have a user account in both of the domains. The user account in domain A is allocated IT operating data through the employee’s department. The user account in domain B is allocated IT operating data through the employee’s primary business role.

Create an account definition A for domain A and an account definition B for domain B and assign them the manage level "Full managed". The manage level "Full Managed" uses One Identity Manager default templates to determine the IT operating data. Specify the property "department" for account definition A in the IT operating data formatting rule for finding the valid IT operating data. Specify the property "business role" for account definition B in the IT operating data formatting rule for finding the valid IT operating data.

Figure 4: Creating User Accounts based on Account Definitions

Automatic Assignment of Employees to User Accounts

Automatic employee assignment is used to:

  • Assign existing employees to user accounts
  • Create employee master data based on existing user accounts

Through synchronization user accounts are initially loaded from the target system into One Identity Manager. Automatic assignment of user accounts to existing employees can take place by subsequently modifying scripts and processes. If necessary, new employees can be created based on existing user accounts to which they are then assigned. This method, however, is not the One Identity Manager default method. You can also use this procedure to create employee data from existing target system user accounts during synchronization.

If you run this procedure during working hours, automatic assignment of employees to user accounts takes place from that moment onwards. If you disable the procedure again later, the changes only affect user accounts added or updated after this point in time. Existing employee assignment to user accounts remain intact.

The criterion for automatically assigning employees to user accounts can be customized to meet the company’s needs. Employees can be directly assigned to existing user accounts as required, based on a suggestion list.

Run the following tasks to assign employees automatically.

  • Set the configuration parameter for automatic assignment of employees to user accounts in the Designer and select the desired mode.
  • Define search criteria for the employee assignment.
  • If managed user accounts should arise through automatic employee assignment, assign an account definition to the target system. Ensure the manage level to be used is entered as default automation level.

    User accounts are only linked to the employee (state "Linked") if no account definition is given in the target system. This is the case on initial synchronization, for example.

Related Topics

Configuring Automatic Employee Assignment

Configuring Automatic Employee Assignment

In the One Identity Manager default installation, the automatic assignment of employees to user accounts is controlled by the configuration parameters shown below and is globally effective for a target system type. A distinction is made here between the synchronization and the default methods.

NOTE:

The following applies for synchronization:

  • Automatic employee assignment takes effect if user accounts are added or updated.

The following applies outside synchronization:

  • Automatic employee assignment takes effect if user accounts are added.

Note: The configuration parameters are included in the One Identity Manager modules and are available once the modules are installed.
Table 5: Configuration Parameter for Automatic Employee Assignment
Target system type Configuration parameter
Active Directory TargetSystem\ADS\PersonAutoDefault
TargetSystem\ADS\PersonAutoFullSync
LDAP TargetSystem\LDAP\PersonAutoDefault
TargetSystem\LDAP\PersonAutoFullSync
IBM Notes TargetSystem\NDO\PersonAutoDefault
TargetSystem\NDO\PersonAutoFullSsync
SAP R/3 TargetSystem\SAPR3\PersonAutoDefault
TargetSystem\SAPR3\PersonAutoFullSync
SharePoint TargetSystem\SharePoint\PersonAutoDefault
TargetSystem\SharePoint\PersonAutoFullSync
Unix-Based Target Systems TargetSystem\Unix\PersonAutoDefault
TargetSystem\Unix\PersonAutoFullSync

Azure Active Directory

TargetSystem\AzureAD\PersonAutoDefault

 

TargetSystem\AzureAD\PersonAutoFullsync

Each configuration parameter has one of the permitted modes:

  • NO

    No automatic assignment of employees to user accounts takes place. This is the default value that is also displayed when the configuration parameter is not active.

  • SEARCH

    If an employee is not assigned, the matching employee is searched for based on defined criteria, and the employee found is assigned to the user accounts. If an employee is not found, no new employee is added.

  • CREATE

    If the user account is not assigned to an employee, a new employee is always added, some of the properties initialized, and the employee is assigned to the user account.

    NOTE: This mode is not available for the target system type SharePoint and Unix-based target systems.
  • SEARCH AND CREATE

    If an employee is not assigned, the matching employee is searched for based on defined criteria, and the employee found is assigned to the user accounts. If no employee is found, a new one is added, some of the properties are initialized, and the employee is assigned to the user account.

    NOTE: This mode is not available for the target system type SharePoint and Unix-based target systems.

If a user account is linked to an employee through the current mode, the user account is given, through an internal process, the default manage level of the account definition entered in the user account's target system. You can change this manage level later.

NOTE: Following synchronization, employees are automatically created for user accounts in the default installation. If there are no account definitions for the target system at the time of synchronization, user accounts are linked to employees. However, account definitions are not assigned. The user accounts are, therefore, in a "Linked" state.

To select user accounts through account definitions

  1. Create an account definition.
  2. Assign an account definition to the target system.
  3. Assign the account definition and manage level to the user accounts in a "linked" state.
    1. Select the category Custom target systems | <target system> | User accounts | Linked but not configured | <target system>.
    2. Select the task Assign account definition to linked accounts.

The configuration parameters are evaluated in the One Identity Manager default installation insert and update processes. These are target system dependent and thus determine the execution mode. The names of the corresponding processes are Search and Create Person for Account and Search and Create Person for Account (Fullsync). Process steps can be used as templates to put into effect the automatic employee assignment in different areas of a target system, such as, the separate domains of a Active Directory environment.

Editing Search Criteria for Automatic Employee Assignment

Editing Search Criteria for Automatic Employee Assignment

Criteria for employee assignment are defined in the target system. In this case, you specify which user account properties must match the employee’s properties such that the employee can be assigned to the user account. You can limit search criteria further by using format definitions. The search criteria are written in XML notation in the column "Search criteria for automatic employee assignment" (AccountToPersonMatchingRule) of the target system table.

Search criteria are evaluated when employees are automatically assigned to user accounts. Furthermore, you can create a suggestion list for assignments of employees to user accounts based on the search criteria and make the assignment directly.

NOTE: When the employees are assigned to user accounts on the basis of search criteria, user accounts are given the default manage level of the account definition entered in the user account's target system. You can customize user account properties depending on how the behavior of the manage level is defined.

It is not recommended to make assignment to administrative user accounts based on search criteria. Use the task Change master data to assign employees to administrative user account for the respective user account.

NOTE: One Identity Manager supplies a default mapping for employee assignment. Only carry out the following steps when you want to customize the default mapping.

To open the employee assignment form

  1. Open the category Target system type | <target system>.
  2. Select the target system in the result list.
  3. Click Define search criteria for employee assignment.

Figure 5: Define Search Criteria for Employee Assignment

To define search criteria for employee assignment

  1. Select the object type for the mapping.

    Object types are user accounts with certain properties, for example "Active Directory contacts" or "Disabled Notes user accounts".

    1. To add a new object type, click Add | Criteria. Select the object type for which to define the search criteria using the Apply to menu.

      The search criteria is applied to all user accounts if no object type is selected.

    2. To change the object type on an existing search criteria, mark the search criteria in "Search criteria". Select the object type for which to define the search criteria using the Apply to menu.

      If the existing selection is removed, the search criteria is applied to all user accounts.

  2. Select the object properties to map.
    • Column on Employee

      Select the column in the Person table against which to run the search.

    • Column on User Account

      Select the column in the user account table which returns the value for the employee search.

  3. Define the formatting rule to limit the search criteria.

    Select a formatting rule in the Add format menu. Define the formatting rule to apply to the search string. You can combine different format templates.

    Table 6: Format Templates
    Format template Meaning
    Character range Characters in the search string to be used in the search criteria.
    Crop to fixed length Length of the search string. Use fill characters at the beginning or end of the string to ensure it reaches the fixed length.
    Remove leading or trailing characters Characters to be removed at the beginning or the end of the string. The remaining string forms the search criteria.
    Split value Characters defining the place to split the string and which part of string should be used as search criteria.
  4. Test the format rules.

    Enter a string "Format preview" to which to apply the search. Use this to test the effects of your search criteria formatting.

  5. Apply the formatting rules.

    Enable Use format on the columns on which to limit the search criteria.

  6. Save the changes.

Different object properties can be joined for search criteria. Both AND and OR operators can be used.

Example for AND

To assign employees to Notes user accounts, the surname as well as first name must be the same for the employee and the user account. The following table columns are mapped:

AND

Person.Firstname – NotesUser.Firstname

Person.LastName – NotesUser.LastName

Example for an OR operation.

To assign employees to Active Directory user accounts, either the employee's central user account and the user account's login name must be identical or the employee's full name and the user account's display name. The following table columns are mapped:

OR

Person.CentralAccount – ADSAccount.SAMAccountName

Person.InternalName – ADSAccount.DisplayName

To link object properties in search criteria

  1. Mark the operator to which to add another object property in "Search criteria". Click Change operator to select the operator for the link.
  2. Click Add | Criteria.
  3. Select the object properties to map.
  4. Select the object properties to be mapped.
  5. If you want to nest links, click Add | AND operator or Add | OR operator and rerun steps 2 to 4.
  6. Save the changes.

To delete search criteria

  1. Mark the search criteria and click Delete.
  2. Save the changes.
Direct Assignment of Employees to User Accounts Based on a Suggestion List

You can create a suggestion list in the "Assignments" view for assignments of employees to user accounts based on the search criteria. User accounts are grouped in different views for this.

Table 7: Manual Assignment View
View Description
Suggested assignments This view lists all user accounts to which One Identity Manager can assign an employee. All employees are shown who were found using the search criteria and can be assigned.
Assigned user accounts This view lists all user accounts to which an employee is assigned.
Without employee assignment This view lists all user accounts to which no employee is assigned and for which no employee was found using the search criteria.

TIP: By double-clicking on an entry in the view, you can view the user account and employee master data.

To apply search criteria to user accounts

  • Click Reload.

    All possible assignments based on the search criteria are found in the target system for all user accounts. The three views are updated.

To assign employees directly over a suggestion list

  1. Click Suggested assignments.
    1. Click Select for all user accounts to be assigned to the suggested employee. Multi-select is possible.
    2. Click Assign selected.
    3. Confirm the security prompt with Yes.

      The selected user accounts are assigned to the employees found using the search criteria.

    – OR –

  2. Click No employee assignment.
    1. Click Select employee... for the user account to which you want to assign the employee. Select an employee from the menu.
    2. Click Select for all user accounts to which you want to assign the selected employees. Multi-select is possible.
    3. Click Assign selected.
    4. Confirm the security prompt with Yes.

      This assigns the selected user accounts to the employees shown in the "Employee" column.

To remove assignments

  1. Click Assigned user accounts.
    1. Click Select for all user accounts whose employee assignment you want to remove. Multi-select is possible.
    2. Click Delete selected.
    3. Confirm the security prompt with Yes.

      The assigned employees are deleted from the selected user accounts.

Related Documents